Monthly Archives: January 2014

Malware related to short message services occupies a large portion of today’s Android malware families. These include premium SMS fraud and SMS spying. Such SMS-based malware apps are actively distributed via unofficial or malicious app stores, but it is rare to find them on Google Play, the world’s largest official Android app store. Nonetheless, we have recently seen SMS Trojans on Google Play.

McAfee has found on Google Play two adult-oriented apps in Vietnamese that download a malicious SMS Trojan app impersonating RealPlayer. The malware comes from a remote server and persuades careless users to install and activate it as a DeviceAdmin app.

Figure 1: Malicious apps on Google Play that download an SMS Trojan.

These apps look like adult-content viewers, yet at installation they request excessive permissions that are unnecessary for this kind of viewer app.

Just after launch, they show a dialog offering to download the latest RealPlayer app for viewing adult movies in HD resolution. The malware downloads RealPlayer.apk if the user accepts.

Figure 2: The dialog to trick users into downloading and installing a fake RealPlayer.

Because the downloaded app carries the same package name as the app that initiated the download, the user is then prompted to accept it as an update of the first app.

Figure 3: The confirmation dialog to update the original app with the downloaded one.

The downloaded app also requests excessive permissions, including SMS-related ones, and asks the user to activate it as a DeviceAdmin app. It tries to persuade users by saying “Your boss told you to do this,” which does not sound very persuasive. Finally, it removes its icon from the home screen to make itself invisible to the user.

Figure 4: The confirmation dialog to activate the fake app as a DeviceAdmin.

The downloaded app, which still claims to be RealPlayer, does not let users view adult movies in HD. Instead it registers several broadcast receivers, triggered by the completion of the device’s boot sequence, by packages being added or removed, and by incoming SMS messages, and invokes background services that communicate with its control server via HTTP, as seen in typical SMS Trojans on Android.

The app contains the following features:

Sends SMS messages to a phone number with a text message, both specified in the command from the server.

Updates the app by downloading the new app package, based on the device’s IMEI and the app package version.

Discards SMS messages received from a predefined set of phone numbers.

Disables and enables these activities, based on server requests.

The app does nothing special as a DeviceAdmin for now because the current implementation is empty; the only effect is that users must take extra steps to deactivate it before uninstalling. However, the Trojan could be updated to a more malicious version at the server’s request.
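The traits described above (SMS permissions, a DeviceAdmin receiver, and receivers for boot completion, package changes and SMS receipt, all in an app posing as a media player) can be checked statically from a decoded manifest. The following triage script is an added example, not McAfee’s tooling or the malware’s code; the manifest it parses is a constructed sample modelled on the behaviour described, not the real RealPlayer.apk.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest traits the post describes for the fake RealPlayer Trojan.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
RECEIVER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
    "android.intent.action.PACKAGE_ADDED": "watches package installs",
    "android.intent.action.PACKAGE_REMOVED": "watches package removals",
    "android.provider.Telephony.SMS_RECEIVED": "intercepts incoming SMS",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the suspicious traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {"sms_permissions": sorted(perms & SMS_PERMS),
                "device_admin": False, "receiver_actions": []}
    for receiver in root.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN is the DeviceAdmin hook.
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            findings["device_admin"] = True
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in RECEIVER_ACTIONS:
                findings["receiver_actions"].append(RECEIVER_ACTIONS[name])
    return findings

def looks_like_sms_trojan(findings: dict) -> bool:
    """Heuristic: sends SMS, hides behind DeviceAdmin, and hooks incoming SMS."""
    return (bool(findings["sms_permissions"]) and findings["device_admin"]
            and "intercepts incoming SMS" in findings["receiver_actions"])

# Constructed sample manifest (not the real malware), package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".Sms"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "-> SMS Trojan-like" if looks_like_sms_trojan(found) else "-> no match")
```

A high-priority SMS_RECEIVED receiver is also how an app can discard messages from chosen numbers before the user sees them, so that trait is worth reporting on its own.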

Installing this malware and others distributed from outside Google Play can be easily blocked if users disable the “installation of apps from unknown sources” option in the device settings. Users need to be very careful about installing apps, especially when they request more permissions than their expected features warrant.

We should be wary of social engineering techniques used to drop malware, even when the process is initiated by apps on Google Play.

From advances in advertising to the digital developments affecting e-commerce and retail, a panel of 50 media and technology professionals highlight what they think will be the main trends, predictions and talking points of 2014.

Anything our panel have missed? Let us know your own personal predictions for the year ahead on Twitter @GdnMediaNetwork.

Somewhat controversial websites and apps called chat friend finders, or ID BBSs (bulletin board systems), are spreading widely in Japan. They allow users of well-known communication services like LINE and Kakao Talk to make friends with others by publishing profiles and service IDs without disclosing real phone numbers and email addresses. Such sites and apps are not officially supported by the service operators and are usually discouraged because of the potential danger. Some users appear to have become involved in crimes committed by criminal “friends.”

McAfee Labs has recently found suspicious chat friend finder apps on Google Play that target Android device users. These apps allow users to register and publish their IDs for several well-known communication services but at the same time secretly leak personal information such as phone numbers and Google account names (Gmail addresses in most cases).

Some of these apps seem to target mainly Japanese users: they support a Japanese interface alongside some other languages, and they also support Mixi, a Japan-specific communication service. On the other hand, we guess that the apps were created by Korean-speaking developer(s) because the Japanese is sometimes unnatural and we can see Korean chat messages. In addition, the common server used by all of these apps appears to be located in South Korea, according to its IP address.

The contents of the apps’ description pages on Google Play look as if they were copied and pasted or reused from similar Japanese apps with slight modifications. For example, a page says users should accept the terms and conditions in the app’s dialog box at initial launch, yet there is no such dialog box. We doubt these apps are carefully or securely designed.

Figure 2: An example of a dangerous chat friend finder app.

One of these apps allows users to publish their service IDs for LINE, Kakao, Mixi, and Skype as well as profile information like photograph, nickname, gender, and residential area. These pieces of information are disclosed to other users on the apps, enabling one to approach or to be approached by others. The apps also support chatting.

However, these apps secretly send users’ phone numbers, email addresses (Google account names), IMEIs, and SIM serial numbers to a server managed by the app developer. Clearly, storing personal information like phone numbers and email addresses in a form associated with various service IDs, public profile information, and chat contents is riskier than storing that data separately. Once this data is leaked, malicious parties can approach specific users by phone number or email address while knowing the victims’ preferences and activities in various communication services.

The secretly collected personal information and its association with various IDs and user profile information are not disclosed to users. As always, there are risks that security vulnerabilities in the apps or their data management server could cause the information to leak to malicious third parties.

At installation these apps request many kinds of permissions. These requests seem excessive for the functions of the apps. The dangerous information leak is related to only two requests: READ_PHONE_STATE and GET_ACCOUNTS. The remaining requests appear to be used by ad modules in the apps or may be unused.

Users should be very careful about permissions requested by Android apps, and also confirm that the app provider is trustworthy before providing any permissions.

Figure 4: These apps request many kinds of permissions.

Using chat ID BBS sites or apps, even without information leaks, is dangerous. These new apps will expose careless users to much higher risks of having their personal information associated with anonymous IDs and various messaging services. If users really want to use chat ID BBSs, we recommend that they visit simple websites rather than use apps to prevent unnecessary information leaks.

Last year we saw an attack targeting Android device users in which more than 2,400 malicious one-click fraud apps were published on Google Play in Japan. The attack has calmed down since October 2013, but it seems the scammers are still looking for opportunities to victimize smart device users in Japan.

As we enter 2014, McAfee has again discovered suspicious apps on Google Play in Japan. These apps lead users to malicious one-click-fraud websites. Ten apps have been published under one developer’s account, and the total number of downloads amounts to at least 5,000 as of this writing.

Unlike many apps discovered last year that simply displayed fraudulent websites, these new apps look harmless and behave just like adult image viewer applications. However, after installation they register for push notifications from the attacker’s server via GCM (Google Cloud Messaging). The attacker can at any time push a notification message containing a URL to a malicious one-click-fraud site, and users are sent to these risky sites in a browser once they tap the message displayed in the system notification bar.

Figure 2: The apps implemented as an adult image viewer.

Figure 3: Push notification messages that lead users to a malicious one-click-fraud site.

The notification message is pushed once or twice per day, and the destination URLs include not only one-click-fraud sites but also fraudulent adult dating service sites. Because this notification is displayed even when the apps are not active, and the origin of the message is intentionally undisclosed, it can confuse users in many cases and expose them to risk.

McAfee Mobile Security detects these newly found apps as Android/BadPush.B.

Tricking users into visiting one-click-fraud sites is not limited to Android apps on Google Play. Android adult apps on unofficial websites can also do this.

Figure 4: Examples of unofficial apps that lead users to one-click-fraud sites.

We have also confirmed that the scammers are tricking users on many Japanese blogs related to adult content, as well as on Twitter, LINE, Kakao Talk, and others. Because these attacks are web-based, iOS device users as well as Android device users should be careful.

McAfee Mobile Security detects this kind of Android app related to the scam activities as a variant of Android/OneClickFraud, and also blocks web browser access to such one-click-fraud sites on Android.

Although we can’t be sure that an attack on Google Play like last year’s will happen again, we can easily imagine that one-click scammers will continue to look for careless victims, lead them to malicious sites, and trick them into paying money using various tactics.

As always, users should ignore any approach from and payment request by scammers even if the users accidentally visit fraudulent websites and register for these services.

Beyonce sings about “if you like it you better put a ring on it” [her finger], but I find that slogan can work (with a slight change) for your personal information on your mobile phones and tablets. So I prefer the “if you like it you better put a PIN on it,” referring to having a personal identification number (PIN) or passcode to lock your smartphone or tablet.

Your device and the private data it holds are very, very attractive to thieves and hackers. Yet, most of us don’t protect our smartphones or tablets—and the private information they contain—anywhere near as well as we do our wallets and PCs. By not protecting your mobile devices, you could be exposing yourself to financial fraud, identity theft and privacy loss.

And these days, privacy matters more than ever. As we become more and more dependent on our digital devices and on having our personal information available in the cloud (stored on the Internet), we become more vulnerable.

With today being Data Privacy Day, it’s a good time to review your privacy settings and practices. To stress the importance of privacy, Intel announced a new push for consumers called “Crack the Pin,” to encourage people to take simple steps toward privacy everywhere by locking, tracking, and encrypting their devices. Go to www.mcafee.com/PINit to try and crack the pin to learn about why it’s critical to protect your mobile devices with a PIN and try and win a Samsung Galaxy tablet or McAfee LiveSafe™ service if you guess the PIN!

Here are some tips to remember:

Put a PIN on all your mobile devices (and don’t use easy ones like 1234 or 1111)

Consider not sharing your PIN/password—this might be a tough one, but in the long run it will save you from possible heartache.

Never use the “remember me” function on your apps or mobile web browser, and take care to log out of your accounts

To join the conversation use #PINit or follow McAfee on Twitter @McAfeeConsumer or Facebook. And help take the necessary steps to keep your data private. Go to www.mcafee.com/PINit and learn how you can be entered to win an Intel-inspired tablet or subscriptions to McAfee LiveSafe.